A perfect storm of missing checks has led to a maximum-severity vulnerability in SandboxJS, a library designed to safely execute untrusted JavaScript code. Tracked as CVE-2026-23830, the flaw carries a CVSS score of 10, indicating that it is both trivial to exploit and catastrophic in its impact.
The vulnerability is a sandbox escape that allows attackers to break out of the confined environment and execute arbitrary code on the host machine with full privileges.
The core of SandboxJS’s security model relies on replacing dangerous global objects (like Function) with safe, sandboxed versions. However, security researchers discovered a glaring oversight: the library did not lock down the async and generator function constructors.
“The library did not include mappings for AsyncFunction, GeneratorFunction, and AsyncGeneratorFunction,” the report explains.
While these constructors aren’t directly exposed as global properties, they are easily accessible through a back door: the .constructor property of any instance.
The exploit path is elegant but deadly. By creating a simple async function inside the sandbox—e.g., (async ()=>{}).constructor—an attacker can retrieve the real, un-sandboxed AsyncFunction constructor from the host environment.
“Since AsyncFunction was not in the safe-replacement map, the executor returns the actual native host AsyncFunction constructor,” the advisory notes.
Once an attacker has a handle on this native constructor, the sandbox is effectively dissolved. They can create new functions that execute in the global scope, “bypassing all restrictions and gaining full access to the host environment (Remote Code Execution)”.
Because this flaw grants access to the host environment, the impact is absolute. “A remote code execution, attacker may be able to run an arbitrary code,” potentially stealing secrets, modifying files, or launching further attacks.
The vulnerability affects all versions of SandboxJS prior to 0.8.26.
Maintainers have released a patch in version 0.8.26 that correctly maps and isolates these asynchronous function constructors. Developers relying on SandboxJS to secure their applications must upgrade immediately, as a CVSS 10 rating implies that exploitation is likely straightforward and widely damaging.
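A minimal model of the gap and the fix described above, as an added example that is not SandboxJS's own code: the map shape and the names blockedConstructor, findUnmappedConstructors and resolve are assumptions. It audits a replacement map against every function constructor reachable through .constructor and shows the fall-through that hands back the native constructor when an entry is missing.

```javascript
// Added illustration, not SandboxJS source; map shape and names are assumptions.

// Only Function is a global, but each sibling constructor is reachable
// from an instance through .constructor.
function functionConstructorFamily() {
  return new Map([
    ['Function', (function () {}).constructor],
    ['AsyncFunction', (async function () {}).constructor],
    ['GeneratorFunction', (function* () {}).constructor],
    ['AsyncGeneratorFunction', (async function* () {}).constructor],
  ]);
}

// Hypothetical safe stand-in: refuses to compile source text at all.
function blockedConstructor() {
  throw new Error('dynamic code generation is disabled in the sandbox');
}

// Audit: names of native constructors the replacement map does not cover.
function findUnmappedConstructors(replacements) {
  const missing = [];
  for (const [name, ctor] of functionConstructorFamily()) {
    if (!replacements.has(ctor)) missing.push(name);
  }
  return missing;
}

// Model of a sandboxed value lookup: mapped values are swapped for their
// replacement, anything unmapped falls through as the native object.
function resolve(replacements, value) {
  return replacements.has(value) ? replacements.get(value) : value;
}

const family = functionConstructorFamily();
// Incomplete map: only Function has a replacement (the gap the advisory describes).
const incompleteMap = new Map([[family.get('Function'), blockedConstructor]]);
// Complete map: every member of the family has a replacement.
const completeMap = new Map(
  [...family.values()].map((ctor) => [ctor, blockedConstructor])
);

console.log('unmapped (incomplete):', findUnmappedConstructors(incompleteMap));
console.log('unmapped (complete):', findUnmappedConstructors(completeMap));
```

A check like findUnmappedConstructors fits in a sandbox's own test suite, so a newly added function kind fails the build instead of silently falling through.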